5 files changed, 20 insertions, 18 deletions
diff --git a/Makefile.in b/Makefile.in
index 76626fc6b..1a2e743a6 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -92,13 +92,13 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
        kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
        kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
        kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
-        platform-pledge.o
+        platform.o platform-pledge.o
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
        sshconnect.o sshconnect1.o sshconnect2.o mux.o
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-        audit.o audit-bsm.o audit-linux.o platform.o \
+        audit.o audit-bsm.o audit-linux.o \
        sshpty.o sshlogin.o servconf.o serverloop.o \
        auth.o auth1.o auth2.o auth-options.o session.o \
        auth-chall.o auth2-chall.o groupaccess.o \
diff --git a/platform.c b/platform.c
index 1f68df3a6..ee3e06914 100644
--- a/platform.c
+++ b/platform.c
@@ -19,6 +19,9 @@
 #include "includes.h"
 #include <sys/types.h>
+#if defined(HAVE_SYS_PRCTL_H)
+#include <sys/prctl.h>  /* For prctl() and PR_SET_DUMPABLE */
+#endif
 #include <stdarg.h>
 #include <unistd.h>
@@ -217,3 +220,14 @@ platform_sys_dir_uid(uid_t uid)
 #endif
        return 0;
 }
+void
+platform_disable_tracing(int strict)
+{
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+        /* Disable ptrace on Linux without sgid bit */
+        if (prctl(PR_SET_DUMPABLE, 0) != 0)
+                if (strict)
+                        fatal("unable to make the process undumpable");
+#endif
+}
diff --git a/platform.h b/platform.h
index e687c99b6..e97ecd909 100644
--- a/platform.h
+++ b/platform.h
@@ -31,6 +31,7 @@ void platform_setusercontext_post_groups(struct passwd *);
 char *platform_get_krb5_client(const char *);
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
+void platform_disable_tracing(int);
 /* in platform-pledge.c */
 void platform_pledge_agent(void);
diff --git a/sftp-server.c b/sftp-server.c
index e11a1b89b..646286a3c 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -29,9 +29,6 @@
 #ifdef HAVE_SYS_STATVFS_H
 #include <sys/statvfs.h>
 #endif
-#ifdef HAVE_SYS_PRCTL_H
-#include <sys/prctl.h>
-#endif
 #include <dirent.h>
 #include <errno.h>
@@ -1588,16 +1585,13 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
        log_init(__progname, log_level, log_facility, log_stderr);
-#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
        /*
-         * On Linux, we should try to avoid making /proc/self/{mem,maps}
+         * On platforms where we can, avoid making /proc/self/{mem,maps}
         * available to the user so that sftp access doesn't automatically
         * imply arbitrary code execution access that will break
         * restricted configurations.
         */
-        if (prctl(PR_SET_DUMPABLE, 0) != 0)
+        platform_disable_tracing(1);    /* strict */
-                fatal("unable to make the process undumpable");
-#endif /* defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) */
        /* Drop any fine-grained privileges we don't need */
        platform_pledge_sftp_server();
diff --git a/ssh-agent.c b/ssh-agent.c
index 8aa25b30d..25d6ebc53 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -88,10 +88,6 @@
 #include "ssh-pkcs11.h"
 #endif
-#if defined(HAVE_SYS_PRCTL_H)
-#include <sys/prctl.h>  /* For prctl() and PR_SET_DUMPABLE */
-#endif
 typedef enum {
        AUTH_UNUSED,
        AUTH_SOCKET,
@@ -1209,10 +1205,7 @@ main(int ac, char **av)
        setegid(getgid());
        setgid(getgid());
-#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+        platform_disable_tracing(0);    /* strict=no */
-        /* Disable ptrace on Linux without sgid bit */
-        prctl(PR_SET_DUMPABLE, 0);
-#endif
 #ifdef WITH_OPENSSL
        OpenSSL_add_all_algorithms();